CVE-2026-42582
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| netty | netty | >= 4.2.0.Alpha1, < 4.2.13.Final | affected |
| io.netty | netty-codec-http3 | >= 4.2.0.Alpha1, < 4.2.13.Final | affected |
Weaknesses
- CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling
- CWE-789: CWE-789: Memory Allocation with Excessive Size Value
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.